Pipelock includes structured mappings between its runtime security controls and five external compliance frameworks. These are control mappings with evidence generation, not compliance certifications. They document which controls Pipelock addresses and what evidence the product can emit.
Mapped Frameworks
| Framework | Scope | Controls Mapped |
|---|---|---|
| OWASP MCP Top 10 | MCP protocol security risks | 10 controls (MCP01-MCP10) |
| OWASP Agentic Top 10 | AI agent application risks | 10 controls (ASI01-ASI10) |
| MITRE ATLAS | Adversarial ML threat techniques | Reconnaissance, discovery, exfiltration techniques |
| EU AI Act | Articles 12, 13, 14, 26 | Record-keeping, transparency, human oversight, deployer monitoring |
| SOC 2 Trust Services Criteria | Security, availability, processing integrity, confidentiality, privacy | 5 criteria (SEC, AVA, PI, CONF, PRIV) |
In addition, Pipelock maps to NIST SP 800-53 Rev. 5 across 7 control families:
- AC – Access Control (tool policy, per-agent profiles, sandbox)
- AU – Audit and Accountability (structured events, SARIF, OTLP)
- CA – Assessment, Authorization, and Monitoring (continuous monitoring)
- CM – Configuration Management (audit score, hot reload validation)
- IR – Incident Response (kill switch, emit pipeline, flight recorder)
- SC – System and Communications Protection (DLP, capability separation, TLS)
- SI – System and Information Integrity (scanner pipeline, binary integrity)
Generating Evidence with pipelock assess
The pipelock assess command orchestrates four security primitives into a reproducible, optionally signed evidence bundle:
pipelock assess init --config pipelock.yaml
pipelock assess run assessment-a1b2c3d4/
pipelock assess finalize assessment-a1b2c3d4/
Init creates a run directory with a manifest and a SHA-256 hash of your config file. Run executes the assessment primitives: attack simulation, audit scoring, installation verification, and MCP server discovery. Finalize synthesizes the results into a scored report (JSON and HTML) and optionally signs the manifest with Ed25519.
Additional finalize options:
pipelock assess finalize assessment-a1b2c3d4/ --archive # .tar.gz bundle
pipelock assess finalize assessment-a1b2c3d4/ --attestation # attestation.json + signature
pipelock assess finalize assessment-a1b2c3d4/ --badge # SVG badge (requires --attestation)
Verify a previous assessment with pipelock assess verify or pipelock assess verify-attestation.
SARIF Output for GitHub Code Scanning
Pipelock’s audit and git scan-diff commands support SARIF v2.1.0 output:
pipelock audit --format sarif -o results.sarif
pipelock git scan-diff --format sarif -o results.sarif
Upload the SARIF file using the github/codeql-action/upload-sarif action. Findings appear as inline annotations on pull request diffs, integrating security scanning into your existing code review workflow.
What Each Primitive Tests
| Primitive | What It Does |
|---|---|
simulate | Runs 31 synthetic attack scenarios (DLP exfiltration, prompt injection, tool poisoning, SSRF, URL evasion) plus 6 per canary token. Verifies the correct scanner layer detected each attack |
audit-score | Scores your config across 12 security categories (0-100, A-F grade) with tool policy overpermission audit |
verify-install | 10 deterministic checks verifying the scanning pipeline and network containment are operational |
discover | Scans MCP server configs across IDEs and reports which servers lack Pipelock wrapping |
Licensing
Unlicensed users get a summary projection without cryptographic signature. Licensed users get the full assessment with Ed25519 signed manifests, attestation documents, and SVG badges. All detection and scanning features are free and open source; the paid tier adds signed evidence packaging.